068065e6ac
CVE-2014-2327, missing CSRF token, is not yet resolved. It is still tracked at RHBZ #1082122. Tony Roman <troman@cacti.net> wrote at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742768: "As for CVE-2014-2327 Cross Site Request Forgery Vulnerability, I'm still working on a solution. I have some limited time this weekend to work on this fix. But I will be on the west coast for business this next week and will have time at night to work on this fix."
342 lines
13 KiB
RPMSpec
Name: cacti
Version: 0.8.8b
Release: 5%{?dist}
Summary: An rrd based graphing tool

# Use systemd unit files on Fedora 21+ and RHEL 7.
%if 0%{?fedora} >= 21 || 0%{?rhel} >= 7
%global _with_systemd 1
%endif

Group: Applications/System
# There's a lot of stuff in there. It's all compatible.
License: GPLv2+ and LGPLv2 and (MPLv1.1 or GPLv2 or LGPLv2) and (LGPLv2 or BSD)
URL: http://www.cacti.net/
# Source0: http://www.cacti.net/downloads/%%{name}-%%{version}.tar.gz
# To generate the notreeview tarball:
# wget http://www.cacti.net/downloads/cacti-0.8.8b.tar.gz
# tar xzf cacti-0.8.8b.tar.gz
# rm -rf cacti-0.8.8b/include/treeview/*
# rm -rf cacti-0.8.8b.tar.gz
# tar czf cacti-0.8.8b-notreeview.tar.gz cacti-0.8.8b
Source0: %{name}-%{version}-notreeview.tar.gz
Source1: cacti-httpd.conf
Source2: cacti.logrotate
Source3: cacti.README.fedora
Source4: d.gif
Source5: d.png
Source6: throbber.gif
Source7: %{name}.cron
# Add replacement files for treeview
Patch0: cacti-0.8.8a-legal.patch
# Thanks to Paul Gevers and Jan Zalesak (Debian)
Patch1: cacti-0.8.8a-replace_treeview_by_jquery.jstree.patch

# Upstream patch for XSS and SQL injection
# https://bugzilla.redhat.com/1000860
Patch2: cacti-0.8.8b-sanitize-variables.patch

# Upstream patch to fix graph comments
# https://bugzilla.redhat.com/1004550
Patch3: cacti-0.8.8b-rra-comments.patch

# Upstream patch for SQL injection and shell escaping
# https://bugzilla.redhat.com/1084258
Patch4: cacti-0.8.8b-sql-injection-shell-escaping.patch

# Upstream patch for HTML injection
# https://bugzilla.redhat.com/1082122
Patch5: cacti-0.8.8b-html-injection.patch

# Upstream patch for remote command execution
# https://bugzilla.redhat.com/1082122
Patch6: cacti-0.8.8b-remote-command-execution.patch

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

Requires: php, php-mysql, mysql, httpd, rrdtool, net-snmp, php-snmp
Requires: net-snmp-utils
Requires: crontabs
Requires(pre): %{_sbindir}/useradd
%if 0%{?_with_systemd}
Requires(preun): systemd
Requires(postun): systemd
Requires(post): systemd
%else
Requires(postun): /sbin/service
%endif
BuildArch: noarch

# This macro was added in Fedora 20. Use the old version if it's undefined
# on older Fedoras and RHELs.
# https://fedoraproject.org/wiki/Changes/UnversionedDocdirs
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}

%description
Cacti is a complete frontend to RRDTool. It stores all of the
necessary information to create graphs and populate them with
data in a MySQL database. The frontend is completely PHP
driven. Along with being able to maintain graphs, data
sources, and round robin archives in a database, Cacti also
handles the data gathering. There is SNMP support for those
used to creating traffic graphs with MRTG.

%prep
%setup -q
%patch0 -p1
# patch1: Remove treeview
%patch1 -p1
# patch2: XSS and SQL injection, https://bugzilla.redhat.com/1000860
%patch2 -p2
# patch3: Fix graph comments, https://bugzilla.redhat.com/1004550
%patch3 -p2
# patch4: SQL injection and shell escaping, https://bugzilla.redhat.com/1084258
%patch4 -p2
# patch5: HTML injection, https://bugzilla.redhat.com/1082122
%patch5 -p2
# patch6: Remote command execution, https://bugzilla.redhat.com/1082122
%patch6 -p2
cp %{SOURCE4} %{SOURCE5} %{SOURCE6} include/js/jquery/themes/default/
rm -rf include/treeview

%build
# cacti's build is a noop

%install
rm -rf %{buildroot}
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/%{name}
%{__install} -d -m 0755 %{buildroot}/%{_pkgdocdir}
%{__install} -d -m 0755 %{buildroot}/%{_datadir}/%{name}/
%{__install} -m 0644 *.php %{buildroot}/%{_datadir}/%{name}/
%{__install} -d -m 0775 log/ %{buildroot}/%{_localstatedir}/log/%{name}/
%{__install} -m 0664 log/* %{buildroot}/%{_localstatedir}/log/%{name}/
%{__install} -d -m 0755 rra/ %{buildroot}/%{_localstatedir}/lib/%{name}/rra/
%{__install} -d -m 0755 scripts/ %{buildroot}/%{_localstatedir}/lib/%{name}/scripts/
%{__install} -m 0755 scripts/* %{buildroot}/%{_localstatedir}/lib/%{name}/scripts/
%{__install} -d -m 0755 cli/ %{buildroot}/%{_localstatedir}/lib/%{name}/cli/
%{__install} -m 0755 cli/* %{buildroot}/%{_localstatedir}/lib/%{name}/cli/
%{__install} -p -D -m 0644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/cron.d/%{name}
%{__install} -D -m 0644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/cacti.conf
%{__install} -D -m 0644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/logrotate.d/cacti

# The su parameter will trip up older logrotate versions.
# Conditionally remove it here.
%if 0%{?rhel} && 0%{?rhel} <= 6
sed -i %{buildroot}/%{_sysconfdir}/logrotate.d/cacti -e '/^[ \t]*su /d'
%endif

%{__cp} -a images/ include/ install/ lib/ plugins/ resource/ %{buildroot}%{_datadir}/%{name}
%{__cp} %{SOURCE3} ./docs/README.fedora
%{__cp} -a docs/ %{buildroot}/%{_pkgdocdir}
%{__mv} %{buildroot}/%{_datadir}/%{name}/include/config.php %{buildroot}/%{_sysconfdir}/%{name}/db.php
%{__chmod} +x %{buildroot}/%{_datadir}/%{name}/cmd.php %{buildroot}/%{_datadir}/%{name}/poller.php
ln -s %{_sysconfdir}/%{name}/db.php %{buildroot}/%{_datadir}/%{name}/include/config.php
ln -s %{_localstatedir}/lib/%{name}/rra %{buildroot}/%{_datadir}/%{name}/
ln -s %{_localstatedir}/lib/%{name}/scripts %{buildroot}/%{_datadir}/%{name}/
ln -s %{_localstatedir}/lib/%{name}/cli %{buildroot}/%{_datadir}/%{name}/
ln -s %{_localstatedir}/log/%{name}/ %{buildroot}/%{_datadir}/%{name}/log
ln -s %{_datadir}/%{name}/lib %{buildroot}/%{_localstatedir}/lib/%{name}/
ln -s %{_datadir}/%{name}/include %{buildroot}/%{_localstatedir}/lib/%{name}/

%clean
rm -rf %{buildroot}

%pre
%{_sbindir}/useradd -d %{_datadir}/%{name} -r -s /sbin/nologin cacti 2> /dev/null || :

%post
%if 0%{?_with_systemd}
%systemd_post httpd.service
%else
# $1 is 1 on first install, 2 or more on upgrade
if [ $1 -eq 1 ]; then
    /sbin/service httpd condrestart > /dev/null 2>&1 || :
fi
%endif

%postun
%if 0%{?_with_systemd}
%systemd_postun_with_restart httpd.service
%else
/sbin/service httpd condrestart > /dev/null 2>&1 || :
%endif

%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/%{name}
%dir %{_datadir}/%{name}
%dir %{_localstatedir}/lib/%{name}
%dir %{_localstatedir}/lib/%{name}/cli
%dir %{_localstatedir}/lib/%{name}/scripts
%doc docs/ README LICENSE cacti.sql
%config(noreplace) %{_sysconfdir}/cron.d/cacti
%config(noreplace) %{_sysconfdir}/httpd/conf.d/cacti.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%attr(0640,cacti,apache) %config(noreplace) %{_sysconfdir}/%{name}/db.php
%{_datadir}/%{name}/*.php
%{_datadir}/%{name}/images/
%{_datadir}/%{name}/include/
%{_datadir}/%{name}/install/
%{_datadir}/%{name}/lib/
%{_datadir}/%{name}/log
%{_datadir}/%{name}/plugins/
%{_datadir}/%{name}/resource/
%{_datadir}/%{name}/rra
%{_datadir}/%{name}/scripts
%{_datadir}/%{name}/cli
%{_localstatedir}/lib/%{name}/scripts/*[^p]
%attr(-,cacti,apache) %{_localstatedir}/log/%{name}/
%attr(-,cacti,root) %{_localstatedir}/lib/%{name}/rra/
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/scripts/*php
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/cli/*php
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/include
%attr(0644,root,root) %{_localstatedir}/lib/%{name}/lib

%changelog
* Mon Apr 07 2014 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-5
- Patch for CVE-2014-2708 SQL injection issues in graph_xport.php
  (RHBZ #1084258)
- Patch for CVE-2014-2709 shell escaping issues in lib/rrd.php
  (RHBZ #1084258)
- Patch for CVE-2014-2326 stored XSS attack (RHBZ #1082122)
- Patch for CVE-2014-2328 use of exec-like function calls without safety
  checks allow arbitrary command execution (RHBZ #1082122)

* Fri Feb 07 2014 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-4
- Move cron to a separate file and require crontabs (RHBZ #947047). Thanks
  Jóhann B. Guðmundsson.
- Update for systemd (RHBZ #947047). Thanks Jóhann B. Guðmundsson.
- Fix rpmlint warning about spaces-to-tabs

* Wed Sep 04 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-3
- Fix comments in thumbnails (BZ #1004550)

* Mon Aug 26 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-2
- Patch for CVE-2013-5588 and CVE-2013-5589 (BZ #1000860)

* Wed Aug 07 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8b-1
- New upstream release (BZ #993042)

* Mon Jul 29 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-9
- Use %%{_pkgdocdir}, per
  https://fedoraproject.org/wiki/Changes/UnversionedDocdirs

* Sun Jul 14 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-8
- Improve security description in cacti's httpd conf (RHBZ #895823)
- Use improved treeview replacement patch (RHBZ #888207)
- rpmlint fixes
- trim RPM changelog

* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.8a-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild

* Tue Jan 08 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-6
- Add note to README.fedora about the default MySQL password
- Remove reference to "docs/INSTALL" in README.fedora (RHBZ #893122)
- Add dependency on net-snmp-utils (RHBZ #893150)

* Fri Jan 04 2013 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-5
- Install our README file as README.fedora

* Fri Jan 4 2013 Tom Callaway <spot@fedoraproject.org> - 0.8.8a-4
- remove non-free treeview bits (replace with jquery future code from 0.8.9 trunk)

* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.8a-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

* Thu Jun 28 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-2
- Add plugins directory (BZ #834355)
- Drop Fedora 15 (EOL) from logrotate syntax adjustment

* Mon Apr 30 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8a-1
- New upstream release (BZ #817506)
- Drop upstreamed $url_path patch

* Wed Apr 11 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8-3
- Patch $url_path to default to "/cacti/" (upstream bug 2217)

* Fri Apr 06 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8-2
- Adjust httpd ACL conditionals to test the presence of mod_authz_core
  (as discussed on fedora-devel)

* Wed Apr 04 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.8-1
- New upstream release (BZ #809753).

* Mon Mar 26 2012 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7i-4
- Adjust ACLs to support httpd 2.4.

* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7i-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild

* Tue Dec 13 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7i-2
- Only set "su" logrotate parameter for F16 and above.
- Tweak mod_security rules.

* Mon Dec 12 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7i-1
- New upstream release (BZ #766573).

* Fri Nov 11 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7h-2
- block HTTP access to log and rra directories (#609856)
- overrides for mod_security
- set logrotate to su to cacti apache when rotating (#753079)

* Thu Oct 27 2011 Ken Dreyer <ktdreyer@ktdreyer.com> - 0.8.7h-1
- New upstream release.
- Remove upstream'd mysql patch.

* Mon Aug 08 2011 Jon Ciesla <limb@jcomserv.net> - 0.8.7g-3
- Patch for MySQL 5.5, BZ 728513.

* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7g-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

* Mon Jul 12 2010 Mike McGrath <mmcgrath@redhat.com> 0.8.7g-1
- Upstream released new version

* Mon May 24 2010 Mike McGrath <mmcgrath@redhat.com> - 0.8.7f-1
- Upstream released new version
- Contains security updates #595289

* Fri Apr 23 2010 Mike McGrath <mmcgrath@redhat.com> - 0.8.7e-4
- Pulling in patches from upstream
- SQL injection fix
- BZ #541279

* Tue Dec 1 2009 Mike McGrath <mmcgrath@redhat.com> - 0.8.7e-3
- Pulling in some official patches
- #541279
- #541962

* Sun Aug 16 2009 Mike McGrath <mmcgrath@redhat.com> - 0.8.7e-1
- Upstream released new version

* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7d-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Tue Mar 31 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 0.8.7d-3
- Fix unowned cli directory (#473631)

* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.7d-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Sat Feb 21 2009 Mike McGrath <mmcgrath@redhat.com> - 0.8.7d-1
- Upstream released new version

* Mon Jul 28 2008 Mike McGrath <mmcgrath@redhat.com> - 0.8.7b-4
- Added cli directory

* Fri Jul 18 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.7b-3
- fix my own mistake in the license tag

* Tue Jul 15 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.7b-2
- fix license tag

* Thu Feb 14 2008 Mike McGrath <mmcgrath@redhat.com> - 0.8.7b-1
- Upstream released new version

* Fri Nov 23 2007 Mike McGrath <mmcgrath@redhat.com> - 0.8.7a-2
- db.php is now 640 instead of 660 - #396331

* Tue Nov 20 2007 Mike McGrath <mmcgrath@redhat.com> - 0.8.7a-1
- Upstream released new version
- Fixes for bug #391691 - CVE-2007-6035